Single Award or Multi-Cloud?: Public Policy And Department Of Defense Cloud Computing – Analysis

The lack of clarity in the current JEDI procurement process

On September 13, 2017, Deputy Secretary of Defense Patrick Shanahan issued a Memorandum on Accelerating Enterprise Cloud Adoption and established a Cloud Executive Steering Group (CESG) led by Undersecretary for Acquisition, Technology and Logistics Ellen Lord. The CESG is the executive entity reporting directly to the Deputy Secretary to promote the rapid implementation of a Joint Enterprise Defense Infrastructure (JEDI), the initiative to accelerate movement to the cloud.

From inception, the CESG was widely seen as favoring a single-award cloud services provider (CSP), following in the direction taken by the Intelligence Community (IC) in its selection of Amazon Web Services (AWS) as its service provider, which took effect in 2013.

Undersecretary Lord buttressed this impression with her remarks at the Reagan National Defense Forum on December 2, 2017 by stating, “We are, no kidding, right now writing the contract to get everything moved to one cloud to begin with and then go from there.”1 Subsequently, a JEDI strategy document leaked to the press indicated there would be a “Single-award Indefinite Delivery/Indefinite Quantity (IDIQ) contract” and a “Single Cloud Services Provider (CSP) to deliver services for cloud computing infrastructure and platform services.”2

In a second memorandum issued January 4, 2018, Deputy Secretary Shanahan removed Undersecretary Ellen Lord from both leadership and membership on the CESG, and in her place appointed now-Chief Management Officer Jay Gibson to lead the CESG. Defense Digital Service (DDS) Director Chris Lynch would lead the acquisition, and USN Capt. David McAllister of the Strategic Capabilities Office (SCO) would lead the transition of select DoD components or agency systems to the acquired commercial cloud solution. 3

These developments offered considerable scope for speculation, but they further reinforced the impression that a “top-down,” single-award approach to cloud services was likely. Of particular note were the absence of representation of the service branches on the CESG and the omission of any statement of intention regarding their current cloud efforts.

Any lingering doubt ended at a JEDI Industry Day meeting on March 7, 2018. A Defense Department official announced there would be a single award to one provider. In a subsequent conference call with reporters, DoD defended its decision not to pursue a multi-cloud approach.4

Public policy and the DoD’s competitive procurement of services

There is a strong presumption in both law and regulation that DoD will acquire products and services from the private sector on the basis of competitive procurement processes. The exceptions here, quite minor, concern the residual government “arsenal” element of the industrial base, including the national nuclear enterprise to develop, manufacture, support, and test nuclear weapons and other minor, highly specialized items for the DoD or Military Departments.5

There is inevitable tension between the public policy aspiration for competitive source selection for the DoD and mission demands. Urgency may dictate a decision to procure from a sole source. Long and favorable experience with a specific product or service provider may also provide a powerful reason to sustain an existing procurement relationship with a vendor. As the number of vendors in the DoD industrial base has declined substantially (20% in FY 2017), DoD has worked energetically to strengthen the competitive procurement process.6

Also potentially noteworthy is that Deputy Secretary Shanahan, in his prior role in both defense and civil acquisition as a Boeing executive, strongly supported competitive source selection for Boeing’s vendors.

Major public policy issues that should be addressed by the Department of Defense in its procurement of cloud services:

1. Does the IC cloud – Commercial Cloud Services, or C2S, run by CIA – serve as an instructive model for the JEDI cloud? In particular, does the IC’s experience with C2S vindicate DoD’s stated preference to make a single award, and is the C2S marketplace the right structure to emulate to ensure that DoD users have access to best-of-breed commercial applications?
2. Do the unique costs associated with migrating mission-critical platforms and applications to JEDI argue for a more deliberative, mission-by-mission approach to cloud acquisition on the part of DoD? Do the cost, operational and security benefits of an all-encompassing cloud-based architecture outweigh the cost, time, and risk, of incremental adoption of multiple cloud-based architectures based on fielding priorities—for example, to accommodate certain workloads that must run continuously?
3. Does a single award risk limiting the DoD’s access to innovation given the competitive commercial market for cloud services among vendors? Many large enterprises ensure access to innovation by utilizing a multi-cloud approach.
4. Does the cloud eliminate the integration and information-sharing challenges between and among different platforms and applications, or do these challenges remain the same for the cloud as for on-premises services?
5. The Third Offset, the latest iteration of a strategy that seeks to overmatch adversaries through technology, forms the basis of JEDI. In a period when China and Russia have had significant access to U.S. commercial innovation, does DoD best ensure that it keeps ahead of their cloud capabilities through a single-award or multi-cloud approach?
6. How should DoD balance the imperative of interoperability and data exchange with allies’ interest in utilizing the offerings of their countries’ own Cloud Service Providers?
7. Does potential utilization of different cloud service providers for different functionalities (such as data storage, backup and recovery, database and warehousing) contribute effectively to cyber and data security, or does it create added vulnerabilities?
8. Does a cloud-based architecture served by a single supplier create significant or unique security and mission performance risks?
9. Does a heterogeneous supplier base create significant or unique security and mission performance risks?
10. What contract structure would produce the best value for the government in DoD procurement of cloud services? Would the contract structure differ based on whether DoD is contracting with a single source or multiple sources?
11. Should DoD consider an “industrial base” approach to data management, encouraging the commercial viability of numerous CSPs to ensure market breadth and depth for long-term DoD needs?Would the existing model
12. of procuring cloud-based services through large omnibus contracts implemented by multiple task-orders be effective in propagating a competitive cloud-based service market for the DoD?

Background: The DoD’s “Rush to the Cloud”

The Department of Defense (DoD), following the lead of the Intelligence Community (IC), is moving rapidly to adopt cloud-based IT architectures. The perceived urgency relates to such factors as security, data integration, and advanced military mission considerations, as well as the legacy financial pressures of the sequestration era.

Security. First, the widespread success of adversary cyber operations against decentralized US Government and defense industry networks has resulted in a vast loss of data on defense R&D programs for scores of advanced weapon systems (greater than 50 terabytes).7 These losses have been exploited by adversary States, reducing the time they require to field advanced capabilities. While there are compelling cost and efficiency arguments for a shift to a cloud-based architecture, these security concerns have been the most widely shared rationale for the need to “go to the cloud.”8 The security issues have also led DoD to propagate modern information security practices to its core defense industrial base, albeit with only mixed success.9

Data integration. DoD’s military operations, logistics systems, and planning activities have become increasingly dominated by data-driven processes. The pervasive nature of data in turn has increased the role and influence of officials responsible for IT and correspondingly diminished the influence of the conventional acquisition process.

Military missions. No less significant is the evolution of modern concepts of military operations at the tactical and operational levels. Modern military operations and the weapon systems they utilize require and generate vast quantities of data. Tactical and operational exploitation of multiple data series requires real-time integration, which the DoD has found to be facilitated by cloud-based rather than decentralized IT architectures.

Cost. DoD’s leadership believes that transitioning to cloud-based architectures will produce significant cost-savings in the acquisition, management, and operation of IT networks and systems. Cost issues have increased in importance in the sequestration era, particularly given criticism of cost overruns in the F-35 program.

The example of the IC and its salience for the DoD

DoD leadership has derived its current perspective from the experience of the IC. In 2012, as it evolved its strategy for IT modernization, the IC saw the indispensable role that cloud-based computing could play in information assurance and mission success.

The IC also recognized that the benefits of a cloud-based strategy embedded in the organization’s digital transformation would require its propagation at scale.10

The IC consolidated its cloud based services under a single-award service provider, Amazon Web Services, in 2013. The DoD believes that the IC—85 percent of which consists of DoD-funded entities – has been successful in implementing and benefiting from the rapid transition of its 17 agencies to a cloud-based architecture.

The IC’s favorable experience with a single-award cloud services provider has developed supporters in the DoD. However, the IC practice of sustaining long-term single-award incumbencies is inconsistent with law and public policy for DoD regarding competitive procurement of products and services.

In addition, the cloud services market, likely to double in size in less than five years, is already robust, with hundreds of vendors offering various services. Public, private, and hybrid clouds are available, and most services previously conducted on decentralized computer networks are now implemented in the cloud. This was not yet the case when the IC made its cloud award in 2013. Almost all large enterprises now utilize multiple cloud service providers for their data management needs.

About the author:
*William Schneider, Senior Fellow at Hudson Institute.

Source:
This article was published by the Hudson Institute (PDF).

Notes:
1 “One Cloud To Rule Them All At DOD?”. 2018. FCW. https://fcw.com/articles/2017/12/06/pentagon-lord-cesg- cloud.aspx.
2 “Joint Enterprise Defense Infrastructure”. November 6, 2017. U.S. Department of Defense. http://www.nextgov.com/media/gbc/docs/pdfs_edit/121217fk1ng.pdf via
“Pentagon’s Next Cloud Contract Could Be Worth Billions”. 2018. Nextgov.Com. http://www.nextgov.com/it- modernization/2017/12/pentagons-next-cloud-contract-could-be-worth-billions/144506/.
3 “Joint Enterprise Defense Infrastructure”. 2018. U.S. Department of Defense. http://www.nextgov.com/media/gbc/docs/pdfs_edit/121217fk1ng.pdf and “Memorandum for Secretaries of the Military Departments, Subject: Accelerating Enterprise Cloud Adoption”. September 13, 2017. Deputy Secretary of Defense Patrick Shanahan. http://www.documentcloud.org/documents/4059163-DoD-Memo-Accelerating- Enterprise-Cloud-Adoption.html
4 “DOD Defends Its Decision To Move To Commercial Cloud With A Single Award”. 2018. Fedscoop. https://www.fedscoop.com/dod-pentagon-jedi-cloud-contract-single-award/.
5 Else, Daniel. 2011. “The Arsenal Act: Context And Legislative History”. Congressional Research Service. https://fas.org/sgp/crs/natsec/R42062.pdf.
6 Gould, Joe. 2018. “American Exodus? 17,000 US Defense Suppliers May Have Left The Defense Sector”. Defense News. https://www.defensenews.com/breaking-news/2017/12/14/american-exodus-17000-us-defense- suppliers-may-have-left-the-defense-sector/.
Brennan, Ken. 2017. “Improving the Department of Defense Services Acquisition Tradecraft: What’s New In 2017”. Powerpoint Presentation, 2017. https://www.acq.osd.mil/dpap/sa/docs/ImprovingServicesAcquisitionTradecraft2017.pdf.
7 Gertz, Bill. 2018. “NSA Details Chinese Cyber Theft Of F-35, Military Secrets”. Washington Free Beacon.
8 Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics. 2013. “Task Force Report: Cyber Security And Reliability In A Digital Cloud”. Washington: Defense Science Board, Department of Defense. https://www.acq.osd.mil/dsb/reports/2010s/CyberCloud.pdf.
9 Department of Defense. 2016. “DoD’s Defense Industrial Base Cybersecurity (DIB CS) Program: A Public- Private Cybersecurity Partnership”. Washington. https://www.fbcinc.com/e/cybertexas/presentations/Room_302_Wed_1- 145PM_Vicki_Michetti_DIB_101_Cyber_Texas_Aug15.pdf
10 Office of the Director of National Intelligence. 2018. “Intelligence Community Information Technology Enterprise Strategy 2016-2020”. Washington.https://www.dni.gov/files/documents/CIO/IC%20ITE%20Strategy%202016-2020.pdf.
This document superseded an earlier directive by the Director of National Intelligence,
Office of the Director of National Intelligence. 2018. “Intelligence Community Information Technology Enterprise Strategy 2012-2017”. Washington. https://www.dni.gov/files/documents/IC_ITE_Strategy.pdf.